WIRED: You Need to Update iOS, Android, and Chrome Right Now. “APRIL HAS BEEN a big month for security updates, including emergency patches for Apple’s iOS and Google Chrome to fix vulnerabilities already being used by attackers. Microsoft has released important fixes as part of its mid-April Patch Tuesday, while Android users across multiple devices need to make sure they are applying the latest update when it becomes available. Here are all the April updates you need to know about.”
Bleeping Computer: Google Chrome emergency update fixes zero-day exploited in attacks. “Google has released Chrome 98.0.4758.102 for Windows, Mac, and Linux, to fix a high-severity zero-day vulnerability used by threat actors in attacks.”
Vice: Google Is Forcing Me to Dump a Perfectly Good Phone. “Despite being just three years old, no Pixel 3 will ever receive another official security update. Installing security updates is the one basic thing everyone needs to do for their own digital security. If you don’t even get them, then you’re vulnerable to every security flaw discovered since your last patch. In response to an email asking Google why it stopped supporting the Pixel 3, a Googles spokesperson said, ‘We find that three years of security and OS updates still provides users with a great experience for their device.’” I’m using an iPhone 7 Plus as my phone. It came out in 2016.
Bleeping Computer: US emergency directive orders govt agencies to patch Log4j bug. “US Federal Civilian Executive Branch agencies have been ordered to patch the critical and actively exploited Log4Shell security vulnerability in the Apache Log4j library within the next six days. The order comes through an emergency directive issued by the Cybersecurity and Infrastructure Security Agency (CISA) today.”
TechRepublic: US government orders federal agencies to patch 100s of vulnerabilities. “In the latest effort to combat cybercrime and ransomware, federal agencies have been told to patch hundreds of known security vulnerabilities with due dates ranging from November 2021 to May 2022. In a directive issued on Wednesday, the Cybersecurity and Infrastructure Security Agency (CISA) ordered all federal and executive branch departments and agencies to patch a series of known exploited vulnerabilities as cataloged in a public website managed by CISA.”
Bleeping Computer: Emergency Google Chrome update fixes zero-days used in attacks. “Google has released Chrome 95.0.4638.69 for Windows, Mac, and Linux to fix two zero-day vulnerabilities that attackers have actively exploited.”
BetaNews: Microsoft releases KB5005565 and KB5005566 Windows 10 updates to fix PowerShell bug and more
BetaNews: Microsoft releases KB5005565 and KB5005566 Windows 10 updates to fix PowerShell bug and more . “With another Patch Tuesday rolling around, Microsoft has released a pair of new updates for Windows 10 — KB5005565 and KB5005566. Serving the same purpose, KB5005566 is available for Windows 10 version 1909, and KB5005565 is available for Windows 10 versions 2004, 20H2 and 21H1. These cumulative updates include security fixes, so they are important to install, but they also address non-security bugs including one affecting PowerShell.”
Ubergizmo: Microsoft, Google Release Urgent Update That Patches Browser Vulnerability. “If you are using either Microsoft Edge or Google’s Chrome, then you might want to update your browsers ASAP. This is because both companies have pushed out an urgent update for both their browsers due to a Level 4 Drive-by exploit that has been discovered that could lead to disastrous consequences.” I have yet to see a patch, but I’m on Linux, so YMMV.
From BetaNews with a side order of head-desk: PrintNightmare fixing KB5005033 update is causing performance issues in Windows 10. “Windows 10 users who have installed the KB5005033 update that was supposed to fix the PrintNightmare security flaw are reporting unwanted side effects. Among the problems being reported are issues with reduced performance, particularly in games.”
BetaNews: Microsoft finally fixes PrintNightmare vulnerability with KB5005031 and KB5005033 updates. “To help address the ongoing problems with the so-called PrintNightmare vulnerability (CVE-2021-34527), Microsoft has announced a change to the default behavior of the Point and Print feature in Windows. The change has been delivered via the KB5005033 and KB5005031 update and means that in order to install printer drivers, users will have to have administrative privileges.”
Bleeping Computer: Windows PetitPotam vulnerability gets an unofficial free patch. “A free unofficial patch is now available to block attackers from taking over domain controllers and compromising entire Windows domains via PetitPotam NTLM relay attacks. The PetitPotam attack vector that forces Windows machines to authenticate against threat actors’ malicious NTLM relay servers using the Microsoft Encrypting File System Remote Protocol (EFSRPC) was disclosed last month by security researcher Gilles Lionel (aka Topotam).”